Imran Virani | Nov 28, 2022 | 3 min read

Cyber Primers: Secure Messaging

WhatsApp, Facebook Messenger, Signal. These are just a few of the many messaging services people use to communicate with each other every day.

In a digitized age, many have transitioned from using SMS and phone calls to these Internet-based messaging services, as they offer a wider variety of user interactions, and help to facilitate communication between people across the globe without being subject to international call or text fees inherent to traditional phone communications.

While these applications are convenient and usually free to download, they each come with certain security risks. The data their parent companies collect on their users has long been a subject of controversy in the ongoing battle for consumer privacy, and while all of these applications offer security measures, they are still targeted by hackers for a variety of scams.

How does one best balance the need to communicate against the reality that some apps have security concerns stemming from both outside actors and the apps themselves?

How do hackers exploit messaging apps?

As with any online account, messaging app accounts can be stolen or phished by hackers who are wily enough, or because of users who are careless enough. Once someone has access to an account, they can phish your contacts, send misleading and/or malicious messages, and make anyone wary of receiving a message from you ever again.

As mentioned in our phishing blog, the best practice here is common sense. Do not click on suspicious links, ensure your login methods are secure and feature MFA, and take notice of when you are being sent unusual messages from a seemingly known contact.

On top of this, if you are ever unsure of the person you are messaging, do not share any sensitive information (such as banking info or social insurance numbers) that you would not want to be stolen. These tips feature heavily across our blogs and content for one simple reason: they're the best course of action for dealing with these attacks.

But what if the problem is not malicious actors trying to gain control of your account, but rather control of your data?

Most widely used messaging apps utilize some form of encryption to protect their users' messages. Meta's messaging platforms (which include WhatsApp, Facebook Messenger, and Instagram) have end-to-end encryption (E2EE) as an option to protect user messages, but for much of their history, this option was opt-in only, and users would have to know to enable it to keep their messages secure.

Recently, Facebook announced it will begin testing E2EE as the default method for all messaging, a welcome choice that should probably have been introduced long ago. Whatever messaging platform you use, ensure that you are aware of its encryption capabilities, and enable them if they are not automatically in place.

How are messaging apps treating their security?

Facebook's E2EE-as-default announcement, which can be seen as both a welcome step in the right direction and long overdue, highlights the mixed track record some messaging platforms have regarding privacy. Popular messaging apps have not always taken the best approach to their user security and safety, and have often had to pay the price for their own lax efforts.

Last September, WhatsApp was fined $266 million by the EU for its lack of transparency regarding its handling of user information. JusTalk, a popular messaging app in Asia with more than 20 million users that purports to be both secure and encrypted, was recently found by TechCrunch to be completely insecure, with its servers sitting on a huge cache of personal data and call logs from users.

These stories should serve as a reminder that users should take the security assurances of any messaging platform with a grain of salt. But if you do choose to message with specific apps, it would be in your best interest to update them regularly so that you have the latest security updates.

As we mentioned in our secure browsing blog, messaging services and the companies that run them are well aware of the target on their backs, and will often update their software in accordance with industry-wide security practices. While constant updates may come as a nuisance for some users, they reflect the reality that hackers are constantly finding new ways to exploit software and the people who use it.